High-level Socket Filter DSL for BPF programs.

Socket filter programs can be attached to sockets to filter
incoming packets. They run on each packet and decide whether
to pass or drop it.

Return values:
- 0: Drop the packet
- >0: Number of bytes to pass (use packet length to pass all)

Socket filters use __sk_buff as context (same as TC).

Example:
(defsocket-filter-instructions allow-all
  {:default-action :accept}
  [])

(build-socket-filter {:keys [ctx-reg data-reg data-end-reg body default-action]
                      :or {data-reg :r2 data-end-reg :r3 default-action :accept}})

Build a complete socket filter program.

Parameters:
- opts: Map with:
  :ctx-reg - Register to save __sk_buff pointer (optional)
  :data-reg - Register for data pointer (default :r2)
  :data-end-reg - Register for data_end (default :r3)
  :body - Vector of body instructions
  :default-action - :accept or :reject (default :accept)

Returns assembled program bytes.
(defsocket-filter-instructions fn-name options & body)

Define a socket filter program as a function returning instructions.

Parameters:
- fn-name: Name for the defined function
- options: Map with:
  :ctx-reg - Register to save context (optional)
  :data-reg - Register for data pointer (default :r2)
  :data-end-reg - Register for data_end (default :r3)
  :default-action - :accept or :reject (default :accept)
- body: Body expressions (should return vectors of instructions)

Example:
(defsocket-filter-instructions accept-all
  {:default-action :accept}
  [])

(make-socket-filter-info program-name instructions)

Create program metadata for a socket filter.

Parameters:
- program-name: Name for the BPF program
- instructions: Program instructions

Returns map with program metadata.
(msg-redirect-hash ctx-reg map-fd key-ptr-reg flags)

Generate instructions for bpf_msg_redirect_hash helper (SK_MSG).
Redirects message to a socket in SOCKHASH.

Parameters:
- ctx-reg: Register containing sk_msg_md pointer
- map-fd: SOCKHASH file descriptor
- key-ptr-reg: Register containing pointer to key
- flags: Flags value (usually 0)

Returns vector of instruction bytes.

(msg-redirect-map ctx-reg map-fd key flags)

Generate instructions for bpf_msg_redirect_map helper (SK_MSG).
Redirects message to a socket in SOCKMAP.

Parameters:
- ctx-reg: Register containing sk_msg_md pointer
- map-fd: SOCKMAP file descriptor
- key: Key or register containing key
- flags: Flags value (usually 0)

Returns vector of instruction bytes.

Usage in SK_MSG verdict program:
(msg-redirect-map :r6 sockmap-fd 0 0)
(dsl/exit-insn)

(msg-redirect-map-with-fallback ctx-reg map-fd key)

Generate SK_MSG redirect with fallback to pass.

Parameters:
- ctx-reg: Register containing context pointer
- map-fd: SOCKMAP file descriptor
- key: Key value or register

Returns vector of instruction bytes.
(sk-msg-action action)

Get SK_MSG action value.

(sk-msg-drop)

Generate instructions to drop message (SK_DROP).

Returns vector of instructions.

(sk-msg-load-field ctx-reg dst-reg field)

Load a field from sk_msg_md context.

Parameters:
- ctx-reg: Register containing context pointer
- dst-reg: Destination register
- field: Field keyword from sk-msg-offsets

Returns ldx instruction.

(sk-msg-offset field)

Get offset for sk_msg_md field.

sk-msg-offsets

Offsets in sk_msg_md context structure.

(sk-msg-pass)

Generate instructions to pass message (SK_PASS).

Returns vector of instructions.

(sk-msg-prologue ctx-reg data-reg data-end-reg)

Generate SK_MSG program prologue.
SK_MSG programs receive sk_msg_md as context.

Parameters:
- ctx-reg: Register to save context pointer (required for SK_MSG)
- data-reg: Register for data pointer
- data-end-reg: Register for data_end pointer

Returns vector of instructions.

(sk-msg-section-name)
(sk-msg-section-name name)

Generate ELF section name for SK_MSG program.
(sk-redirect-hash map-fd key-ptr-reg flags)

Generate instructions for bpf_sk_redirect_hash helper (SK_SKB).
Redirects stream data to a socket in SOCKHASH.

Parameters:
- map-fd: SOCKHASH file descriptor
- key-ptr-reg: Register containing pointer to key
- flags: Flags value (usually 0)

Returns vector of instruction bytes.

(sk-redirect-map map-fd key flags)

Generate instructions for bpf_sk_redirect_map helper (SK_SKB).
Redirects stream data to a socket in SOCKMAP.

Parameters:
- map-fd: SOCKMAP file descriptor
- key: Key or register containing key
- flags: Flags value (usually 0)

Returns vector of instruction bytes.

Usage in SK_SKB verdict program:
(sk-redirect-map sockmap-fd 0 0)
(dsl/exit-insn)

(sk-redirect-map-with-fallback map-fd key)

Generate SK_SKB redirect with fallback to pass.
Redirects to SOCKMAP, falls back to SK_PASS if redirect fails.

Parameters:
- map-fd: SOCKMAP file descriptor
- key: Key value or register

Returns vector of instruction bytes.

(sk-skb-action action)

Get SK_SKB action value.

(sk-skb-drop)

Generate instructions to drop data (SK_DROP).

Returns vector of instructions.

(sk-skb-pass)

Generate instructions to pass data to socket (SK_PASS).

Returns vector of instructions.

(sk-skb-prologue data-reg data-end-reg)
(sk-skb-prologue ctx-reg data-reg data-end-reg)

Generate SK_SKB program prologue.
SK_SKB programs receive __sk_buff as context, same as socket filters.

Parameters:
- ctx-reg: Register to save context pointer (optional)
- data-reg: Register for data pointer
- data-end-reg: Register for data_end pointer

Returns vector of instructions.

(sk-skb-section-name type)
(sk-skb-section-name type name)

Generate ELF section name for SK_SKB program.

Parameters:
- type: :parser or :verdict
- name: Optional program name
(sock-hash-update map-fd key-ptr-reg flags)

Generate instructions for bpf_sock_hash_update helper.
Updates SOCKHASH with current socket.

Parameters:
- map-fd: SOCKHASH file descriptor
- key-ptr-reg: Register containing pointer to key
- flags: Update flags (usually BPF_ANY = 0)

Returns vector of instruction bytes.

(sock-map-update map-fd key flags)

Generate instructions for bpf_sock_map_update helper.
Updates SOCKMAP with current socket. Used in sockops or cgroup programs to add sockets to the map.

Parameters:
- map-fd: SOCKMAP file descriptor
- key: Key or register containing key
- flags: Update flags (usually BPF_ANY = 0)

Returns vector of instruction bytes.
(socket-accept ctx-reg)

Generate instructions to accept packet (return packet length).

Parameters:
- ctx-reg: Register containing __sk_buff pointer

Returns vector of instructions that returns the packet length.

(socket-accept-bytes num-bytes)

Generate instructions to accept specific number of bytes.

Parameters:
- num-bytes: Number of bytes to accept

Returns vector of instructions.

(socket-action action)

Get socket filter action value.

Parameters:
- action: :reject (0) or :accept (packet length)

Returns integer value.

Note: :accept returns -1 as a marker; you should return the actual packet length for accept. Use socket-accept for this.

Socket filter return values.
(socket-filter-by-ip data-reg data-end-reg ip-addr src-or-dst accept-on-match)

Generate filter to match source or destination IP.

Parameters:
- data-reg: Register with data pointer
- data-end-reg: Register with data_end pointer
- ip-addr: IP address as integer
- src-or-dst: :src or :dst
- accept-on-match: Accept if IP matches

Returns vector of instructions.

(socket-filter-by-port data-reg data-end-reg ip-offset port src-or-dst accept-on-match)

Generate filter to match TCP/UDP port.

Parameters:
- data-reg: Register with data pointer
- data-end-reg: Register with data_end pointer
- ip-offset: IP header offset (usually ethernet-header-size)
- port: Port number to match (host byte order)
- src-or-dst: :src or :dst
- accept-on-match: Accept if port matches (true) or reject (false)

Returns vector of instructions.

Note: This assumes the TCP/UDP header follows the IP header directly. For variable-length IP headers, calculate IHL first.

(socket-filter-by-protocol data-reg data-end-reg protocol accept-on-match)

Generate filter to match IP protocol.

Parameters:
- data-reg: Register with data pointer
- data-end-reg: Register with data_end pointer
- protocol: IP protocol number (6=TCP, 17=UDP, 1=ICMP)
- accept-on-match: Accept if protocol matches (true) or reject (false)

Returns vector of instructions.
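A complete filter composed from the functions documented on this page, added here as an example; it is not code from the library's own documentation. It assumes placeholder namespace names, that `defsocket-filter-instructions` emits the prologue from its options and appends the default action after the body, that a filter called with `accept-on-match` false rejects a matching packet and lets a non-matching one fall through, that the defined function takes no arguments, and a 14-byte Ethernet header.

```clojure
;; Added example, not from the library's documentation. Assumptions:
;; - this namespace is aliased as `sf`; the ns name below is a placeholder;
;; - defsocket-filter-instructions emits the prologue from its options and
;;   appends the :default-action after the body expressions;
;; - a filter with accept-on-match = false rejects a matching packet and
;;   lets a non-matching one fall through to the next body expression;
;; - the defined function takes no arguments;
;; - frames start with a 14-byte Ethernet header (ethernet-header-size).
(ns example.capture-filter
  (:require [socket-filter-namespace :as sf])) ; placeholder for this namespace

(def ethernet-header-size 14) ; assumed constant; the docstrings name it

;; Blocklist for a capture socket: drop ICMP and anything to or from
;; TCP/UDP port 22 before it reaches the socket, pass everything else at
;; full length (:default-action :accept). Registers follow the DSL
;; defaults: data pointer in :r2, data_end in :r3; the __sk_buff pointer
;; is kept in :r6 so the accept path can return the packet length.
(sf/defsocket-filter-instructions drop-icmp-and-ssh
  {:ctx-reg :r6 :data-reg :r2 :data-end-reg :r3 :default-action :accept}
  ;; protocol 1 = ICMP; matching packets are rejected
  (sf/socket-filter-by-protocol :r2 :r3 1 false)
  ;; destination and source port 22 (host byte order). Caveat from the
  ;; socket-filter-by-port docstring: the transport header is assumed to
  ;; follow a 20-byte IP header, so packets carrying IP options are not
  ;; matched here unless IHL is computed first. The port filter does not
  ;; check the IP protocol itself.
  (sf/socket-filter-by-port :r2 :r3 ethernet-header-size 22 :dst false)
  (sf/socket-filter-by-port :r2 :r3 ethernet-header-size 22 :src false))

;; Metadata and ELF section name (the "socket/<name>" form described in
;; the socket-filter-section-name docstring) for the loader.
(def program-info
  (sf/make-socket-filter-info "drop-icmp-and-ssh" (drop-icmp-and-ssh)))

(def section-name
  (sf/socket-filter-section-name "drop-icmp-and-ssh"))
```

A socket filter only affects what the attached socket sees; packets it rejects are still delivered to the host's normal stack, so this is a capture-side noise filter, not a host firewall.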
(socket-filter-section-name)
(socket-filter-section-name name)

Generate ELF section name for socket filter.
Returns "socket" or "socket/<name>".

(socket-get-ifindex ctx-reg dst-reg)

Get interface index from sk_buff.

Parameters:
- ctx-reg: Register containing __sk_buff pointer
- dst-reg: Destination register

Returns ldx instruction.

(socket-get-len ctx-reg dst-reg)

Get packet length from sk_buff.

Parameters:
- ctx-reg: Register containing __sk_buff pointer
- dst-reg: Destination register

Returns ldx instruction.

(socket-get-protocol ctx-reg dst-reg)

Get protocol from sk_buff.

Parameters:
- ctx-reg: Register containing __sk_buff pointer
- dst-reg: Destination register

Returns ldx instruction.

(socket-prologue data-reg data-end-reg)
(socket-prologue ctx-save-reg data-reg data-end-reg)

Generate standard socket filter prologue.
Saves context and loads data pointers.

Parameters:
- ctx-save-reg: Register to save __sk_buff pointer (optional)
- data-reg: Register for data pointer
- data-end-reg: Register for data_end pointer

Returns vector of instructions.

(socket-reject)

Generate instructions to reject/drop packet.

Returns vector of instructions.